LOL, that's just so someone (of a rival group) who tries to get their real IP address (to ddos them), finds that subdomain, and doesn't look closely, and goes to ddos the FBI.
Many automated scripts script kiddies use to DDoS will do a basic check for subdomains like "direct.domain.com" and "direct-connect.domain.com" if the target domain is behind Cloudflare, and the scripts are naive and immediately assume that's the server's real IP.
Setting it to the IP of a site they dislike is also a popular choice.
